A Practical Guide to Auditing Android App Permissions: What I Found in Apps I Trusted

I spent a weekend systematically reviewing the permissions granted to every app on my Android phone. The results were not particularly alarming in a security-breach sense, but they were eye-opening. Several apps I had been using for years—some from well-known developers—were requesting access to my camera, microphone, or contacts without any obvious need. One utility app wanted to read my call log. Another, a simple note-taking tool, asked for precise location. None of these requests were malicious in the traditional sense; they were simply overreaching. And because I had never bothered to audit my permissions, they had been silently collecting data I never intended to share.

This article walks through what I found and, more importantly, how you can check your own device in about fifteen minutes.

What Happened During the Audit

I opened Settings > Privacy > Permission Manager on my Pixel phone running Android 14. This screen lists every permission type—Camera, Microphone, Location, Contacts, SMS, Phone, etc.—and shows which apps have access. I went through each category, looking specifically for apps where the permission did not match the app’s core function.

Within half an hour, I identified ten apps with questionable permission requests. I deleted five of them entirely (including a flashlight app and a wallpaper app that had no business reading my contacts). For the remaining five, I changed permissions from “Allow all the time” to “Only while using the app” or simply revoked them.

The most common red flags were:

  • Camera and microphone access in apps that do not take photos, record video, or capture audio (e.g., a barcode scanner that did not need to access the camera except when used, but had been granted “Allow all the time”).
  • Location access in weather apps that could work with a manual city selection.
  • Contact access in games and social media companion apps that had no communication feature.

None of these apps were obviously malicious. They were popular, well-reviewed apps from reputable publishers. But the permissions were still unnecessarily broad.

Why This Matters

Every unnecessary permission is a potential privacy leak. Apps can collect your location history, listen for audio triggers, or scan your contact list in the background. While Android’s permission model has improved significantly—especially with granular controls in Android 11 and the “recent permission usage” feature in Android 14—the burden of enforcement remains on the user. Google Play Protect scans apps for known malware, but it does not comprehensively audit whether an app’s permissions are appropriate for what it does. A legitimate app can still over-collect data if you allow it.

The risk is not only about targeted advertising or data brokers. Aggregating location and contact data over time can create a detailed profile that can be exploited in social engineering attacks, identity theft, or phishing scams. The more data an app has access to, the larger the surface area for a potential breach.

What Readers Can Do Right Now

You do not need to spend a whole weekend—fifteen minutes will get you most of the way. Here is the step-by-step process for Android 11 and later:

  1. Open Settings > Privacy > Permission Manager (or search “permission manager” in settings).
  2. Tap each permission category (e.g., Camera, Microphone, Location, Contacts, SMS).
  3. Review the list of apps that have access. Ask yourself: “Does this app truly need this permission to work?”
  4. For each app you consider overreaching, tap the app name and change the permission to “Only while using the app” or “Deny.”

A few specific tips:

  • Flashlight apps: They should not need camera or location. Delete them and use the built-in flashlight toggle in your quick settings.
  • Weather apps: Prefer apps that allow manual city selection rather than background location.
  • Social media and communication apps: They often request contacts, camera, and microphone—these are reasonable for core features. But check if they request SMS or Phone access unnecessarily; many do not need it.

Bonus step: Enable Auto-revoke permissions for unused apps. This is available in Settings > Privacy > Permission Manager (the three-dot menu). When enabled, Android will automatically remove permissions from apps you haven’t opened in a few months. This is a low-effort way to reduce exposure.

If you are on Android 14, you can also use the “Recently used permissions” section in the Permission Manager to see which apps have been accessing sensitive data frequently. If an app you rarely open is still pinging your location, that is a strong sign to revoke.
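The same category-by-category review can be scripted for a device with USB debugging enabled, which makes it easy to repeat. The example below is added here and is not from the original article: it parses text in the layout printed by `adb shell dumpsys package`, groups granted runtime permissions the way the Permission Manager screen does, and lists grants that fall outside an allow-list you write yourself. The package names, the sample dump and the `EXPECTED` allow-list are constructed for illustration.

```python
import re

# Subset of runtime permissions, grouped like the Permission Manager screen.
GROUPS = {
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "Location (all the time)",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Call logs",
}
HDR_RE = re.compile(r"^\s*(Package|SharedUser) \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

# Constructed sample in the layout of `adb shell dumpsys package` output.
SAMPLE = """\
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
  Package [com.example.weather] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
"""

def granted_by_group(dump):
    """Map each permission group to the packages currently granted it."""
    out, pkg = {}, None
    for line in dump.splitlines():
        if m := HDR_RE.match(line):
            pkg = m[2] if m[1] == "Package" else None  # skip shared-user blocks
        elif (m := PERM_RE.match(line)) and pkg and m[1] in GROUPS:
            out.setdefault(GROUPS[m[1]], set()).add(pkg)
    return {group: sorted(pkgs) for group, pkgs in out.items()}

def unexpected(grants, expected):
    """(package, group) pairs that the reviewer's allow-list does not cover."""
    return sorted((p, g) for g, pkgs in grants.items() for p in pkgs
                  if g not in expected.get(p, set()))

# Reviewer's own allow-list (hypothetical): groups each app plausibly needs.
EXPECTED = {"com.example.flashlight": set(), "com.example.weather": {"Location"}}

if __name__ == "__main__":
    print(unexpected(granted_by_group(SAMPLE), EXPECTED))
```

To run it against a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `granted_by_group` in place of `SAMPLE`.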

Sources and Further Reading

  • The original Android Police article that inspired this check: “I spent a weekend reviewing Android app permissions and deleted 5 apps I thought I could trust” (Android Police, June 2025).
  • Google’s official documentation on managing app permissions: Android Help – App permissions.

I recommend performing this audit every few months. Permissions change after app updates, and new installations can quietly add permissions you never explicitly granted. It is a simple, free habit that meaningfully reduces your digital exposure.